
I found the culprit. The certificates were OK, but the reason why the users were asked for credentials twice was because the "users" on the Exchange publishing rule were set to only "Authenticated users", instead of "All users". Therefore TMG asked for credentials first, before letting them authenticate to the Exchange server.

Yes, I get an error here. But I have tested some more and I see that it works for another domain that is configured on the same TMG and the same Exchange server. The only difference is the certificate. It seems that there is a connection problem/trust between the two servers regarding the new certificate.